More Evidence of the CFAA Post-Van Buren/hiQ Jurisprudential Anarchy (Guest Blog Post)
by guest blogger Kieran McCarthy
The Computer Fraud and Abuse Act (“CFAA”) is a law that was written before the commercial Internet was a thing (1984). And many judges—particularly Boomers in the rarified air of the appellate courts—grew up in an era before the Internet was a thing. And so they like to interpret the CFAA using simple, non-technical language that has nothing to do with the internet or technology. Liability under the CFAA stems from simple “gates-up-or-down inquiry.” The CFAA does not apply to “publicly available” websites.
But the problem with simple, non-technical interpretations of the CFAA is that these non-technical interpretations must be applied to not-so-simple technologies online, where analogies to medieval entranceways and public squares do little to guide lower courts in making their decisions.
Two recent CFAA cases show instances where applying these simple standards is not so simple. Specifically, two district courts in the 9th Circuit were tasked with applying the hiQ Labs II recent guidance regarding “publicly available” websites.
In April, the 9th Circuit in hiQ Labs II said:
a defining feature of public websites is that their publicly available sections lack limitations on access; instead, those sections are open to anyone with a web browser. In other words, applying the “gates” analogy to a computer hosting publicly available webpages, that computer has erected no gates to lift or lower in the first place. Van Buren therefore reinforces our conclusion that the concept of “without authorization” does not apply to public websites.
hiQ Labs II at 36.
Got it! The CFAA does not apply to public websites!
On May 27, the district court in the Western District of Washington published an order denying a motion for reconsideration in the matter of United States v. Paige A. Thompson, 2022 WL 2064854 (W.D. Wash. June 8, 2022). In that case, the defendant figured out a way to identify misconfigured web applications that permitted outside commands to reach the servers. The defendant then got access to those servers and set up cryptocurrency mining operations on the rented but not used servers.
Brilliant, devious, and sketchy, but is it a violation of the CFAA? After all, what the defendant did here was access publicly available websites. Granted, these were publicly available websites that should have been configured differently to make them non-public. And these publicly available websites were very hard to find. But the defendant found them using a tool called a proxy scanner, a perfectly legal tool that allows you to search lots of IP addresses per second and learn lots of interesting things about them. They’re available for legal and useful information security purposes and they can be used as part of not-so-nice activities such as DDoS attacks (and they can also be used to help prevent such attacks) and finding misconfigured security settings.
Either way, as I wrote when Van Buren first came out, proxy tools don’t fit neatly into the whole “gates-up-or-down” metaphor and it was a matter of time before courts were left deal with the mess.
So how did the Western District of Washington resolve this tricky question? With another metaphor, baby!
The servers at issue in this case occupy a much murkier space than public LinkedIn profiles. The indictment alleges that in order to access the information on these servers, defendant employed a technological process that went beyond merely typing a URL into a browser, or a name into Google, as one would to access a public LinkedIn profile. While proxy scanners may be available to the general public, it is unclear that this is a technology that the general public actually uses. Lock pick sets are also available to the general public and are typically legal to possess, but a house is not open to the general public simply because a skilled locksmith can successfully pick the lock. Cf. hiQ II, 31 F.4th at 1196 (explaining that the CFAA’s legislative history describes CFAA-prohibited conduct as analogous to “breaking and entering”). There is therefore an unresolved question of fact regarding whether these servers were open to the “general public.”
Thompson at 2-3.
As I’ve said before, the great thing about metaphors is that you can do whatever you want with them. There’s no standard of rigor or way to measure whether your metaphor fits well with what you’re describing. It’s all about what works for your imagination!
That said, lock picks are a terrible metaphor for proxy scanners. Proxy scanners don’t allow you to open something that isn’t already open, like a lock pick. They allow you to find something that isn’t readily visible without the use of the proxy scanner.
A much better metaphor for proxy scanners would be infrared glasses!
So imagine someone leaving a secret package in the middle of a city that one could only find with the use of infrared glasses. And then imagine some person with infrared glasses who is not the intended recipient of package using his handy-dandy infrared glasses to find the package and take it without asking.
That’s not very nice, but is it breaking and entering? Is it robbery? No! It’s fortuitous package discovery! This is the very reason we’ve been carrying around our infrared glasses for all these many years!
Either way, this motion for reconsideration, and the trial that followed, did not end well for Ms. Thompson.
A month later, about 22 hours south on the I-5 & I-10, the District Court of Arizona reached a similar conclusion in the matter of Mark Alan Greenburg v. Amanda Wray, 2022 WL 2176499 (D. Ariz. June 16, 2022). This is a civil claim, but again, the CFAA is a criminal statute, so any interpretation of the statute in a civil context potentially creates criminal liability for someone else later.
Amanda Wray, depending on your political inclinations, is not an especially likable defendant. She hosts a Facebook group where she writes cranky things about school mask policies, bashes LGBTQ policies, says a bunch of things that aren’t true about vaccines, and talks with her friends about tinfoil hats (ok, so I made that last part up).
Plaintiff’s son serves on the Scottsdale Unified No. 48 School District Board. Plaintiff, not being a particular fan of the Defendants, collected a bunch of dirt on them, including photographs, quotes, videos, comments, and political memes. He stored them on his personal Google Drive. Plaintiff shared access to the Google Drive with three people. Unbeknownst to the Plaintiff, the settings of his Google Drive also allowed anyone else to access the drive by typing in the exact URL.
You know what happens next! The tinfoil hat folks got access to the URL and started doing a bunch of stuff with the Google Drive that Plaintiffs didn’t like.
Again, not very nice, but is it a violation of the CFAA? Is the Plaintiff’s failure to set up his security settings properly sufficient to invoke the CFAA against the Defendants?
This is a close call. Plaintiff acknowledges that the portion of the Google Drive accessed by Amanda was not password protected; Plaintiff had inadvertently enabled the setting that allowed anyone with the URL to access the site. But, Plaintiff alleges that this setting did not per se render the Google Drive public, given that the URL was a string of 68 characters. What’s more, the Google Drive was not indexed by any search engines, unlike the website in hiQ. Therefore, it wasn’t just “anyone with a browser” who could stumble upon the Google Drive on a web search—the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser. By the Court’s eye, Plaintiff alleges that the Google Drive had limitations and thus persons attempting to access it needed authorization.
Plaintiff alleges that the disclosure of the URL—the limitation —did not grant Amanda authorization to access the Google Drive. He asserts that the disclosure was inadvertent. As the Ninth Circuit has recognized, inadvertent disclosure of the means around a limitation on access does not per se grant authorization. See Theofel v. Farey Jones, 359 F.3d 1066, 1074, 1078 (9th Cir. 2004). Plaintiff has sufficiently plead the elements of a violation of 18 U.S.C. § 1030(a)(2).
Greenburg v. Wray at 2.
Here, the court attempts to parse the hiQ Labs II opinion very literally using a fine distinction of what constitutes “anyone with a browser.” While the court acknowledges that anyone with a web browser can find LinkedIn profiles, the court thinks this situation is different because “the internet denizen wishing to access the Google Drive needed to obtain the exact URL into the browser [sic].”
Huh? I have no idea what that sentence means or how it could be used to limit the phrase “anyone with a browser.” Is the court equivocating web browsers and Google searches? The last time I checked, the address bar where you can search by URL is still part of the standard web browser and that has been true since the Netscape days. So finding something with a public URL is indeed available to “anyone with a browser.”
Old-school CFAA nerds might recall that this fact pattern largely harks back to the criminal prosecution of United States v. Aurenheimer, where Orin Kerr, among many other prestigious names, served as pro bono counsel for the defendant. In that case, the defendant was prosecuted in New Jersey for scraping a hard-to-find URL on AT&T’s web page. The conviction was eventually vacated, but the prosecution itself was seen as a low point (along with the infamous Aaron Swartz prosecution) for overzealous prosecutors pursuing scraping claims under the CFAA.
Both courts acknowledge that these were close calls, but neither court mentioned the rule of lenity, which dictates that ambiguities in criminal statutes should be resolved in the way that is most favorable to the defendant.
The problem with expanding criminal liability for accessing public websites—even for unsavory defendants such as these—is that now these cases serve as precedent for future cases, meaning that this opens the door for prosecutors to pursue ever-more benign conduct using this case as precedent.
Just when you thought criminal prosecutions under the CFAA for accessing public websites were a thing of the past…